March 10, 2021

Han Santos Privacy Round Up – February 2021


February heralded a slew of new federal and state-driven privacy and data protection laws, as well as three key events that have implications for data breach protocols and social media privacy.

Noteworthy Events

Facebook's $650M BIPA Settlement

  • Class action settlement over violations of the Illinois Biometric Information Privacy Act
  • The lawsuit stated that Facebook’s practice of tagging people in photos using facial recognition without their consent violated state law
  • Facebook must now set the “Face Recognition” default setting to “off”
  • For more information: Facebook’s $650M BIPA settlement ‘a make-or-break moment’

Investigative report of Facebook privacy practices

Data breach - Elara Caring

  • Elara Caring announces a data breach affecting 100,487 patients. The data breach occurred via unauthorized access to a limited number of corporate email accounts in mid-December 2020.
  • For more information: Elara Caring • Security Info December 2020

Technology Areas of Interest

Financial technology (PCI (Payment Card Industry) SSC (Security Standards Council))

  • Payment Card Industry Security Standards Council (PCI SSC) published Version 1.1 of the PCI Secure Software Lifecycle (Secure SLC) Requirements and Assessment Procedures
  • The PCI Secure SLC expands eligibility beyond payment software vendors to include vendors who develop software products for the payment card industry, allowing for broader vendor adoption and participation in the Secure SLC Program
  • For more information: PCI Secure SLC Standard v1.1

USA: NIST Transport Layer Security


5G Security Controls

News to Follow this Month as it Unfolds

USA: SEC announces 2021 examination priorities

Laws—By State


Bill for Consumer Privacy Act introduced in House of Representatives

  • The Bill would provide for consumer rights such as the right to access, correct, and delete certain personal data, and opt out of collection and use of personal data.
  • The bill provides for enforcement by the Attorney General (no private right of action)
  • For more information: HB216-int.pdf


Bill for the Florida Privacy Protection Act introduced in State House

  • Establishes new definitions including biometric information, de-identified information, personal information, and profiling
  • Notably, the Bill establishes a private right of action against businesses that violate any of the provisions
  • For more information: Senate Bill 1734 (2021) - The Florida Senate


Bill for Consumer Privacy Act introduced to Assembly

Bill for Right to Know Act introduced to Assembly


Petition filed with State Senate for bill on Mass. Information Privacy Act

  • The Information Privacy Act would, among other things, define an automated decision system and biometric information and its exclusions, establish biometric and location information protections, and establish provisions for enforcement and penalties
  • For more information: Bill SD.1726


Bill reestablishing privacy commission introduced in State House


Bill for Consumer Protection in Data and Technology Act introduced in State House of Representatives

  • Bill proposes to enhance levels of consumer consent, protection, and transparency throughout the technology industry, to promote consumer protection in data and technology.
  • For more information: Draft Bill Template

Bill for protection of consumers and genetic information introduced in State House of Representatives

  • The Bill proposes to protect consumer privacy by requiring that a business that collects genetic data from a consumer to provide ancestry or similar information protects the data and keeps it confidential
  • For more information: hj210210.pdf

Bill for Consumer Data Privacy Act introduced in House of Representatives

  • Bill proposes to adopt consumer privacy protections, provide more control over the amount and type of data collected, and adopt other protections equivalent to those provided by the CCPA (California Consumer Protection Act)
  • For more information: Draft Bill Template


Governor signs the Consumer Data Protection Act (CDPA) into law


Washington Privacy Act passes State Senate

  • The bill for the Washington Privacy Act passed on March 3, 2021. The bill is now in the House “in committee.”
  • For more information: 5062.pdf



Parliament passes news media and digital platforms bargaining code


UK (United Kingdom) adequacy decision

  • Commission highlighted that it has assessed the UK’s law and practice on personal data protection, and concluded that the UK ensures an equivalent level of protection under the GDPR (General Data Protection Regulation) and the Law Enforcement Directive
  • For more information: Press corner | European Commission

EU commission addresses data flows in trade strategy

  • Trade strategy that prioritizes new rules for digital trade
  • Strategy seeks to ensure that businesses can benefit from the international free flow of data in full compliance with EU data protection rules
  • For more information: Press corner | European Commission


Joint advisory on malicious cyber actors targeting Accellion FTA (File Transfer Appliance) customers

Background & About the Team

The Han Santos Privacy Round Up is a compilation of current events, recent laws, and technologies that have an impact on, or implications for, corporate privacy and cybersecurity and that may affect your business. The Privacy Practice is comprised of attorneys Alan Thieman and Donna McPartland.

About the Firm

Han Santos is a full-service, minority-owned law firm representing companies from formation to exit. The core counseling team includes highly skilled technical, business, and operating professionals who have gone on to become legal experts. This allows Han Santos to provide high-quality, agile counsel to companies in all stages of growth and operation, as well as in all aspects of their corporate, securities, privacy, and intellectual property matters.

